#securityoperation

SIEMs are mandatory tools for forensic security teams, aggregating logs from a multitude of sources, exploring within a dataset, and auditing thoroughly. But anyone who’s tried to run their security operations solely on a SIEM (Security Information and Event Management), knows all too well its limitations:

1. Hard to connect the dots

One of the major challenges when using security monitoring and analytics tools is how to deal with the high number of alerts and false positives. Even when the most straightforward policies are applied, SIEMs end up alerting on far too many incidents that are neither malicious nor urgent. The goal is not to be alerted on every possible incident, but to identify, in real-time, the incidents driven by actual malicious activity. Getting there can be a cumbersome process, requiring detailed investigation and a series of diagnoses. Typical scenarios might include: pinpointing the IP address of the suspicious user activity, identifying the relevant logs and determining, which devices were affected. Only then can a researcher decide if the threat is real. Connecting the dots is indeed cumbersome and time-consuming. During this process the race against the attackers is at risk and a backlog of unhandled incidents is created.

2. Insufficient correlation rules

The out-of-the-box, correlation rules of traditional SIEM solutions are insufficient to address the needs of today’s organizations. They need to be extensively configured to meet the unique requirement of the organization. This a time-consuming task requiring significant technical understanding of the organization’s cybersecurity infrastructure.

Another major challenge lies in the fact that it’s impossible to create rules broad enough to factor every conceivable event. New threats are continually emerging and changing and SIEMs need to be continuously maintained in order to adapt to the evolving landscape. The result is that most SIEMs end up running with limited coverage, particularly around correlation of activities.

3. Challenging user-experience

SIEMs are capable of monitoring logs from a multitude of locations at once, striving to eliminate the risk of missing important events. They receive information from various endpoints by pulling or accepting pushed event data, triggering alerts according to predefined correlation rules. Using SIEM dashboards, SOC teams should be able to view and analyze event information in real-time. However, as the organization’s network expand and data accumulates, security professionals are unable to see the log’s origin, user identities, user activities, and if they could be a potential threat.

SIEMs typically show all network and log activities in a tabular format, making it difficult to quickly get insights from the data. Even if the event data is organized by categories with defined policies, viewing the entire network in one consolidated display is still challenging.